1.2.2 Challenge Handshake Authentication Protocol (CHAP)
The Challenge Handshake Authentication Protocol, described in RFC 1994, authenticates a user by way of a three-way handshake. First, the server sends the client a challenge message (i.e., the server challenges the client). Second, the client uses the message that is sent, along with the ID and the secret (the user's password), to create a special code value called a hash, typically using MD5, and sends the hash back to the server (i.e., the client responds with the other half of the challenge handshake). Third, the server performs the same hashing function. In theory, the MD5 hash values will be equal, which gives authentication. This is repeated at random intervals during the session. By changing the ID value with each session, a replay attack is not possible. See 4.1.1 for explanations of hashing and
CHAP is most often used for PPP authentication.
Firms such as Cisco and Microsoft have produced variations on the basic CHAP model, such as Microsoft's MS-CHAP, with extensions specific to the Windows NT environment.
Although, like Kerberos, CHAP avoids sending the password over the wire, it still has security issues. In particular, the challenge/response mechanism is only as strong as the secret used to calculate the response. This means that users still need to choose good passwords, for example, not words that appear in any dictionary. Also, the protocol itself contains some weaknesses, including information disclosure, as documented in the paper "Cheating CHAP". [58]
CHAP 3-Way Handshake
CHAP uses a 3-way handshake in which the server sends the client a challenge message, the client responds with an MD5 hash computed from that message and its password, and the server verifies that the response was produced with the right password by computing the same hash with its own copy of the user's password and making sure both hash values match.
CHAP protects against session hijacking by performing this handshake at random times during a session.
Figure 5: CHAP can re-challenge at random times.
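The handshake described above, written out as an added example (not code from CertiGuide): the response is MD5(ID || secret || challenge) as RFC 1994 specifies, the server accepts only the outstanding challenge, and a captured response replayed against a fresh re-challenge is rejected. The 16-byte challenge length and the secret values are assumptions for the example.

```python
import hashlib
import os
import secrets

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side: issues challenges and checks responses."""
    def __init__(self, secret: bytes):
        self.secret = secret      # shared secret (the user's password), stored server-side
        self.identifier = 0       # one-octet ID, changed for every challenge
        self.pending = None       # (identifier, challenge) awaiting a response

    def challenge(self):
        # Fresh random challenge (16 bytes assumed) and a new identifier each round.
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending = (self.identifier, os.urandom(16))
        return self.pending

    def verify(self, identifier: int, response: bytes) -> bool:
        # Only the outstanding challenge is accepted, so a stale response fails.
        if self.pending is None or identifier != self.pending[0]:
            return False
        expected = chap_response(identifier, self.secret, self.pending[1])
        self.pending = None       # a challenge may be answered only once
        return secrets.compare_digest(expected, response)

class ChapClient:
    """Peer side: proves knowledge of the secret without sending it."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)

def authenticate(server: ChapServer, client: ChapClient) -> bool:
    """One challenge/response round; the same call models a random re-challenge."""
    identifier, challenge = server.challenge()
    return server.verify(identifier, client.respond(identifier, challenge))

def replayed_response_accepted(server: ChapServer, client: ChapClient) -> bool:
    """Record one valid response, then resubmit it to the next challenge."""
    identifier, challenge = server.challenge()
    captured = client.respond(identifier, challenge)
    server.verify(identifier, captured)        # the genuine round succeeds
    next_id, _ = server.challenge()            # server re-challenges with a new ID
    return server.verify(next_id, captured)    # old response no longer matches: False
```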
58. Krahmer, Sebastian, Cheating CHAP, http://packetstormsecurity.nl/groups/teso/chap.pdf, February 2002.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.